Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[aws_wafv2_web_acl] Web ACL update-in-place fails #14035

Closed
Tailzip opened this issue Jul 2, 2020 · 5 comments · Fixed by #14616
Closed

[aws_wafv2_web_acl] Web ACL update-in-place fails #14035

Tailzip opened this issue Jul 2, 2020 · 5 comments · Fixed by #14616
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Milestone
v3.2.0

Comments

@Tailzip
Copy link
Contributor

Tailzip commented Jul 2, 2020
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform version : 0.12.20
AWS provider version : 2.68.0

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

resource "aws_wafv2_web_acl" "waf_web_acl" {
  name        = "delete-me-demo"
  description = "to be deleted..."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit"
    priority = 0

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 1000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rate-limit-delete-me-demo-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    foo = "bar"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "delete-me-demo-metric-name"
    sampled_requests_enabled   = false
  }
}

Debug Output

https://gist.github.com/Tailzip/23feef7ef2d6c325da1812e631f62a9c

Expected Behavior

Web ACL is updated-in-place without error.

Actual Behavior

Web ACL isn't updated-in-place. terraform apply fails with the following error message :

Error: Error updating WAFv2 WebACL: WAFInvalidParameterException: Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "11e05729-fdb9-44e2-bbdc-8677eb7302c8"
  },
  Field: "STATEMENT",
  Message_: "Error reason: Your statement has multiple values set for a field that requires exactly one value., field: STATEMENT, parameter: Statement",
  Parameter: "Statement",
  Reason: "Your statement has multiple values set for a field that requires exactly one value."
}

In the debug log attached, you can clearly see that the JSON body of the POST request to update the web ACL is missing data under the Statement key :

{
  "DefaultAction": {
    "Block": {}
  },
  ...
  "Rules": [
    {
      "Action": {
        "Block": {}
      },
      "Name": "rate-limit",
      "Priority": 0,
      "Statement": {},
      "VisibilityConfig": {
        "CloudWatchMetricsEnabled": false,
        "MetricName": "rate-limit-delete-me-demo-metric-name",
        "SampledRequestsEnabled": false
      }
    }
  ],
  ...
}

Steps to Reproduce

  1. terraform apply
  2. Update default_action block content from allow {} to block {}
  3. terraform plan shows :
# aws_wafv2_web_acl.waf_web_acl will be updated in-place
~ resource "aws_wafv2_web_acl" "waf_web_acl" {
  ...
  ~ default_action {
    - allow {}

    + block {}
  }
  ...
}
  1. terraform apply fails...
@ghost ghost added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jul 2, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 2, 2020
@Tailzip Tailzip changed the title WAFv2 web ACL update-in-place fails [aws_wafv2_web_acl] Web ACL update-in-place fails Jul 2, 2020
@ewbankkit
Copy link
Contributor

Similar:

@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 3, 2020
@anGie44 anGie44 mentioned this issue Jul 7, 2020
Closed
@ewbankkit ewbankkit mentioned this issue Jul 17, 2020
Closed
@anGie44 anGie44 mentioned this issue Jul 24, 2020
Closed
@whizz0
Copy link

whizz0 commented Aug 12, 2020

I'm getting the same error while TF plan shows update only in AWS tags, nothing else.
Using aws provider v. 2.70.0

This was referenced Aug 13, 2020
Merged
Closed
@anGie44 anGie44 added this to the v3.2.0 milestone Aug 13, 2020
@anGie44
Copy link
Contributor

anGie44 commented Aug 13, 2020

A fix has been merged and will release with v3.2.0 of the Terraform AWS Provider, expected out later today.

@ghost
Copy link

ghost commented Aug 14, 2020

This has been released in version 3.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Sep 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Milestone
v3.2.0
5 participants
@breathingdust @Tailzip @ewbankkit @anGie44 @whizz0